In addition, I can use a similar method to encrypt the filesystem passphrase using another user's public key, allowing sharing of files.

This seems like a secure method, since the unencrypted key is piped through a file descriptor to the mount command for a one-time read. Am I missing an obvious mistake with my methodology? Is there a safer way?

Please note, we are trying to enable file-level encryption for on-demand use. LUKS would not work, as our machines are always on and thus whole-drive encryption would be useless.

(Note: We are stuck with a version of eCryptfs that does not have the pkcs11-helper.)
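As an added illustration of the file-descriptor handoff described in the post above (this is editor-supplied example code, not the poster's script or anything from the eCryptfs project): the already-decrypted passphrase is written into an anonymous pipe, the write end is closed, and a child process reads the descriptor once. The child here is `cat`, standing in for the mount helper; the public-key decryption that produces the plaintext is assumed to have happened earlier and is not shown. `hand_off_via_fd` and `SAMPLE_PASSPHRASE` are names made up for this example, and the passphrase value is constructed. Requires a POSIX system (`os.pipe`, `pass_fds`).

```python
import os
import subprocess

# Constructed sample value. In the setup from the post this would be the
# output of decrypting the wrapped passphrase with the user's private key;
# that step is assumed to have already happened and is not part of this example.
SAMPLE_PASSPHRASE = b"correct-horse-battery-staple\n"


def hand_off_via_fd(secret: bytes, helper_cmd=None) -> dict:
    """Pass `secret` to a child process through an anonymous pipe.

    The secret never appears in the child's argv or environment and is never
    written to a file. `helper_cmd` stands in for the real mount helper; the
    default copies the inherited descriptor to stdout so the result can be
    checked. Returns what the helper read, whatever was left in the pipe
    afterwards (expected: nothing), and the argv that was used.
    """
    read_fd, write_fd = os.pipe()

    # Fill the pipe before the child starts. A passphrase is far smaller than
    # the pipe buffer, so this single write does not block. Closing the write
    # end now means the reader sees EOF as soon as it has consumed the secret.
    os.write(write_fd, secret)
    os.close(write_fd)

    if helper_cmd is None:
        # Hypothetical helper: read the named descriptor and echo it to stdout.
        helper_cmd = ["sh", "-c", f"cat <&{read_fd}"]

    try:
        proc = subprocess.run(
            helper_cmd,
            pass_fds=(read_fd,),   # only this descriptor is inherited, same number
            capture_output=True,
            check=True,
        )
        # The helper has exited and the write end is closed, so a further
        # read returns EOF immediately: the secret cannot be read a second time.
        leftover = os.read(read_fd, 4096)
    finally:
        os.close(read_fd)

    return {
        "read_by_helper": proc.stdout,
        "leftover": leftover,
        "argv": helper_cmd,
    }


if __name__ == "__main__":
    result = hand_off_via_fd(SAMPLE_PASSPHRASE)
    print("helper read:", result["read_by_helper"])
    print("left in pipe:", result["leftover"])
    print("argv:", result["argv"])
```

What this does and does not buy: the passphrase is kept out of `ps` output (argv), out of the environment and off disk, and the pipe is drained after one read. It does not protect against a process running as the same user or as root, which can still inspect the helper while it runs, and once the filesystem is mounted the key material lives in kernel memory regardless of how it was delivered; the descriptor trick narrows exposure on the way in, nothing more.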